Windows Server Hacks: Restoring Shadow Copies Using the Command Line

Shadow copies is a new feature of Windows Server 2003 that automatically creates point-in-time copies or snapshots of files in shared folders. This lets users recover accidentally overwritten or deleted work without the need to ask an administrator to restore from backup, which saves administrators a lot of time and headache. The only requirement from the user end is that their own computer must have shadow copies client software installed; it can be downloaded from Microsoft's web site. Installing this client adds a Previous Versions tab to the Properties sheet of each file or folder the user can access within the share. For example, Figure 1 below shows that the file named doc.4.rtf has three previous versions, created at 1:34, 1:28 and 1:24 p.m. on July 1, 2004. These versions were created manually for test purposes--previous versions usually are created automatically at 12 noon and 5 p.m. Monday through Friday, provided that the default schedule is accepted when shadow copies are enabled on a volume.

Figure 1. Previous Versions tab for file doc.4.rtf

While shadow copies can be enabled on a volume and previous versions accessed using the GUI, Windows Server 2003 also includes a command-line utility called vssadmin that can be used to manage shadow copies on the server side. But what about using the command line to manage previous versions of files from the desktop end? The Windows Server 2003 Resource Kit includes a tool called volrest that can be employed for just that purpose; you can use it to list or search for previous versions of a file and restore such versions to the same or different locations.

Using Volrest

To use volrest, you first need to know the UNC path to the shared folder; for example, \\test220\reports would be the Reports share on the file server named SRV220. Let's say we want to access a previous version of the above file doc.4.rtf, which is located within the Annual Reports 2004 folder in this share. In this case, the UNC path to this particular file would be "\\test220\reports\Annual Reports 2004\doc.4.rtf"; the quotation marks are needed because of spaces in the pathname. To list all available versions of this file, just type the following at the command line:

Note that for each snapshot of the file, volrest displays the following information:

The date and time the file was modified

The size of the file

The date and time the snapshot was taken (embedded in the UNC path to the version)

Let's say it's the second version, saved at 18:28 GMT (1:28 CST), that we're interested in recovering, since it contains information that was accidentally deleted before the next version was saved. To recover that particular version, you would simply type:

This will restore all three previous versions of the file to the temporary folder named E:\Stuff that you created; you can then copy to your home folder the version of the file you want to keep and make it your new working copy. The output of typing this command looks like this:

Note that these previous versions are listed from most recent to oldest, so doc.4.rtf is the most recent snapshot of the file and doc.4(2).rtf is the oldest. This order is the same as that of the GUI's display of previous versions, as Figure 1 above can attest. Of course, if you don't know which particular previous version is the one that has the info you need, you can simply browse to examine each one or use the Indexing service to perform a full-text search on the contents of all the previous versions.

Note that volrest accepts wildcards in pathnames or filenames, and you can also use a drive letter instead of a UNC path if you have a drive letter mapped to the network share. Besides the /r switch, volrest has several other options you can learn about by typing volrest /? at the command prompt. Also note that volrest is insensitive to case for pathnames and filenames.